EFW Support

Support => EFW SMTP, HTTP, SIP, FTP Proxy Support => Topic started by: NinNin on Saturday 24 October 2009, 10:16:55 pm



Title: EFW 2.3 rc1 LDAP Authentication
Post by: NinNin on Saturday 24 October 2009, 10:16:55 pm
Hi everybody,
I have a problem with LDAP Authentication. I have never configured authentication with this method, but because I cannot authenticate with Windows AD, I am trying authentication with LDAP instead. After completing the configuration, I tested browsing to web sites from a client PC (Windows XP) and from my server (W2k3 Server), and I can reach every website without any problem. But when I go to the EFW GUI menu "Logs -> Proxy", the logs do not show "Username", and when I go to "Proxy -> HTTP -> Access Policy", in the "Authentication" tab, whether I select 'user based' or 'group based', it always shows "Can't find the AD/LDAP Server". Can anybody suggest a solution please?

1. Configure & Setting LDAP
http://www.uppicweb.com/show.php?id=d64b3d3765809674ccfed72de2c8f742

2. Log shows IP address and URL, but no Username
http://www.uppicweb.com/show.php?id=4063b31f48488cd97c876a8f533dfb58

3. Can't find AD / LDAP Server <User>
http://www.uppicweb.com/show.php?id=a1130508e33589854d150593ec94623e

4. Can't find AD / LDAP Server <Group>
http://www.uppicweb.com/show.php?id=9692b8b78c2a8a41986e5b35016d0701




Title: Re: EFW 2.3 rc1 LDAP Authentication
Post by: nopyobe on Wednesday 02 December 2009, 10:04:39 am
I was having the same problem. Two things to point out:

#1. Be sure that you set the entire path for the user account that you are authenticating with. For example, you have cn=administrator,dc=abc,dc=com in your Bind DN Username field. If in fact you are authenticating with the user "Administrator", Active Directory does see this user account as a container (cn), but it resides in the "USERS" container. The path should have been:

cn=administrator,cn=users,dc=abc,dc=com

So, for all of your settings:
AUTHENTICATION REALM: ABC.COM
LDAP Server: 4.10.0.1 (Or whatever IP your AD LDAP Server is)
Base DN Settings: cn=users,dc=abc,dc=com
Bind DN Username: cn=administrator,cn=users,dc=abc,dc=com
Bind DN Password: (Your password for Administrator)
user ObjectClass : person (Noticed that you changed this to "users")
group ObjectClass: group

#2. Ok. Now for the kicker that messed me up for a  of hours. When you get this working and you go into the "Access Policy", you should see that you now have the ability to select groups. You cannot pick any groups that have SPACES in them. For example: CN=DOMAIN USERS,CN=USERS,DC=ABC,DC=COM. It does not seem that it can interpret anything with spaces in any part of the name.

My suggestion would be to create a new group and put your users within that group. Make sure that the new group is within the "USERS" container (since that is your Base DN) and that it does not contain any spaces.

Hope this helps.

Nopyobe.
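To check the settings from the reply above before typing them into the GUI, here is an added Python example (not EFW's own code) that splits DNs, verifies that the Bind DN and each group DN are full paths under the Base DN, and flags group names containing spaces. The DN values used in the test are constructed from the examples in this thread.

```python
# Added example (not EFW's own code): sanity-check the Bind DN, Base DN and
# group DNs that the reply above recommends before entering them in the GUI.

def split_dn(dn):
    """Split an LDAP DN into (attribute, value) pairs, leaf first.
    Simplified RFC 4514 handling: honours backslash-escaped commas."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch); escaped = False
        elif ch == "\\":
            cur.append(ch); escaped = True
        elif ch == ",":
            parts.append("".join(cur)); cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    rdns = []
    for part in parts:
        if "=" not in part:  # catches typos such as "CN:Domain Users"
            raise ValueError(f"RDN {part!r} has no '=' separator")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns

def _norm(rdns):
    # DN comparison is case-insensitive for attribute names and for AD values
    return [(a, v.lower()) for a, v in rdns]

def _under(dn_rdns, base_rdns):
    return len(dn_rdns) > len(base_rdns) and _norm(dn_rdns)[-len(base_rdns):] == _norm(base_rdns)

def check_config(base_dn, bind_dn, group_dns):
    """Return a list of findings; an empty list means the settings look consistent."""
    findings = []
    base, bind = split_dn(base_dn), split_dn(bind_dn)
    if not _under(bind, base):
        findings.append(f"bind DN {bind_dn!r} is not a full path under base DN {base_dn!r}")
    for g in group_dns:
        try:
            rdns = split_dn(g)
        except ValueError as exc:
            findings.append(str(exc))
            continue
        if " " in rdns[0][1]:
            findings.append(f"group {rdns[0][1]!r} contains a space and cannot be selected")
        if not _under(rdns, base):
            findings.append(f"group {g!r} is outside base DN {base_dn!r}")
    return findings
```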